Snooper’s Charter: Web browsing history stored for a year, no bans on encryption

UK gov't backs down on crypto bans, but calls for major extension of surveillance powers.

The UK home secretary, Theresa May, confirmed today that the UK government will seek to force all ISPs to retain a record of your Web browsing history for the previous year, even though the existence of tools like Tor and VPNs can make such data useless. This "Internet Connection Record" will be "a record of the Internet services a specific device has connected to, such as a website or instant messaging application." It does not include details of individual webpages visited.

Moreover, the police will only be able to request details about accessing certain classes of website. As May explained in her statement to the House of Commons when she introduced the draft Investigatory Powers Bill: "They would only be able to make a request for the purpose of determining whether someone had accessed a communications website, an illegal website or to resolve an IP address where it is necessary and proportionate to do so in the course of a specific investigation." She went on to explain, "If someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said."

On the vexed issue of encryption, May said categorically that the new Bill "does not ban encryption or do anything to undermine security of people's data." However, as regards requests for access to encrypted communications, she said the government expected Internet companies "to take reasonable steps to respond to that warrant in an unencrypted form," without explaining further how they might do that, or what would happen if they failed to do so. She also confirmed that the Bill would not require UK telcos to capture and store Internet traffic originating from US companies—another controversial idea that was rumoured to be under consideration.

Double lock

May is changing how surveillance is authorised in an important way. Although she will make the initial decisions about when warrants should be issued, the warrant is not implemented until a judge has approved it—what May called a "double lock." In emergency situations, the home secretary will be able to authorise surveillance immediately, but a judge will then need to review the decision and may cancel it. The UK government will be updating overall oversight of surveillance by replacing the current system involving multiple commissioners with a single "Investigatory Powers Commissioner." This new role will consist of "a senior judge, supported by a team of expert inspectors with the authority and resources to effectively, and visibly, hold the intelligence agencies and law enforcement to account," according to May.

Another major element of the Investigatory Powers Bill (aka the Snooper's Charter) is a legal footing for GCHQ's powers to "interfere with" any computer system, anywhere in the world. This includes listening to phone calls, tracking locations, copying data, and turning on microphones or cameras on mobile phones for the purpose of surveillance. This basically gives GCHQ permission to break into computer systems outside the UK without needing a warrant.

This particular aspect of the new Bill is no surprise: earlier this year, the UK government ran a public consultation on the draft interception of communications code of practice and the draft equipment interference code of practice, which proposed precisely these powers. This part of the Snooper's Charter will legalise once and for all the mass surveillance being carried out by GCHQ, first revealed by Edward Snowden in 2013. In her speech, May revealed that, until now, the government has drawn on antiquated powers granted by the Telecommunications Act 1984.

May said in her statement that "the Bill will make explicit provision for all of the powers available to the security and intelligence agencies to acquire data in bulk. That will include not only bulk interception provided under the Regulation of Investigatory Powers Act [RIPA] and which is vital to the work of GCHQ, but also the acquisition of bulk communications data, both relating to the UK and overseas." This statement undercuts May's repeated claim that the new Investigatory Powers Bill was not about mass surveillance, and her attempts to deny that it was in any way a "Snooper's Charter."

In an obvious attempt to head off concerns about abusive access to such massive stores of highly-sensitive personal data, May also announced that local authorities will not be permitted to access Web browsing histories and that a new criminal offence with a two-year prison sentence will be created to prevent the abuse of such communications data by public authorities.

Unfortunately, the new Bill doesn't address the issue of criminals breaking into databases via the Internet. Recent security breaches at TalkTalk and Vodafone indicate that ISPs and telcos are hardly shining examples of how to look after important personal data.

This aspect seems to have been ignored by the UK government, which is troublesome when you consider that these huge stores of information reveal some of the most intimate details of our lives. This data is not only perfect blackmail material, but it's also likely to be of great interest to foreign nations, which may already be targeting key collections of personal information in other countries for future use.

Both Labour's Andy Burnham and Nick Clegg expressed their broad support for the Investigatory Powers Bill, but Clegg's successor, Tim Farron, seemed more sceptical. As he wrote on Twitter, "Make no mistake the Liberal Democrats will fight any attempt to bring back the so-called Snooper’s Charter under a different name." And the Tory MP David Davis is unhappy too. "MPs are protected from interception warrants but their communications data has no such protection, leaving whistleblowers vulnerable."

May said that there will be a further consultation on the proposals and "pre-legislative scrutiny by a Joint Committee of Parliament," after which a revised Bill will be presented in spring next year. She also gave an update on the Data Retention and Investigatory Powers Act (DRIPA), which will cease to apply on December 31, 2016. May emphasised, "It is our intention to pass a new law before that date."